This discussion is exactly what I was afraid of when we were discussing
codebases, and I think it will happen again and again. Codebases are
abstract, ambiguous notions, and the result could be an ambiguous CVE.
Let me throw something in the air and see if it will fly. We have been
thinking along the lines of "one CVE entry = one vulnerability". However,
could we represent more than one vulnerability instance by a CVE entry? We
already have done so with the password CVE entries (Cluster 18 - PASS). I
think of those as "Exploding" CVE entries. That is, think of each CVE
entry as a compact notation for unambiguously signifying the existence of
several vulnerabilities, specified with a list of *different instances* of
the same problem. Could we not use this over all the database? It may be
understood that each OS, distribution (with version numbers, please!) has a
different vulnerability that fits the observables in the description.
Hence, the Ping o' Death entry could look like:
Candidate: CAN-1999-0128
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping
Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.
Instances:
-Digital Unix 3.0x, 3.2x, 4.0, 4.0a and products based on these
-FreeBSD v prior to 2.1.6
-HPUX 9.x, 10.00-10.20,
-AIX 3.2, 4.1, 4.2
-Linux kernels prior to 2.0.27
-OSF/1 prior to R1.3.3
-SCO OpenServer 5.0.0, 5.0.2
SCO Internet FastStart 1.0.0, 1.1.0
SCO Open Desktop 3.0
SCO TCP/IP 1.2.1 on SCO Unix System V/386 Release 3.2 Version 4.2
-Solaris, unpatched versions prior to 5.51
I think it would be a waste of bits to have a dozen different CVE entries
for this, while the sub-enumeration unambiguously specifies that the
underlying code may be different.
Pascal
>On Mon, Jul 12, 1999 at 09:52:28PM -0500, Gene Spafford wrote:
>
>| >Candidate: CAN-1999-0128
>| >Reference: XF:ping-death
>| >Reference: CERT:CA-96.26.ping
>| >
>| >Oversized ICMP ping packets can result in a denial of service,
>| >aka Ping o' Death.
>| >
>| >
>| >AFFECTED OSes:
>| > Digital Unix, FreeBSD, HPUX, AIX, IRIX, Linux, OSF/1, SCO, Solaris
>| >
>| >QUESTION: is the appropriate codebase "Unix"? Or do we separate it
>| >into BSD and System V? Or each individual OS?
>|
>| Systems that used the old BSD IP stack have this problem. The Linux
>| stack was developed independently, as was (I believe) AIX. All of
>| the others derived from the same underlying IP code. However, each
>| one has undergone quite a bit of change.
>
>| MacOS is also vulnerable in some versions. I believe VMS and
>| NextStep were too.
>|
>| So here we have the problem of defining "same."
>|
>| Me feeling would be to split out each independent OS unless we know
>| they use the same underlying code.
>
>It seems clear to me that the relevant logic that leads to the system
>crashing while processing ICMP have not changed. My definition of
>codebase change and Spaf's seem to be different.
>
>We agree on expresserve, which I've elided, and disagree on rlogin:
>
>| >QUESTIONS:
>| > With rlogin being an old program and so many Unices being affected,
>| > do we say this is just one codebase? What does it tell us (if
>| > anything) to see that the problem had already been fixed in Linux
>| > and NetBSD before the CERT advisory was released?
>|
>| rlogin is the codebase. It was the same on almost all these systems.
>|
>| The Linux and NetBSD versions were fixed before the advisory because
>| they had groups doing proactive security screening. It doesn't
>| change that the code base for rlogin was basically the same.
>
>Here is the core of our disagreement. That linux and NetBSD code was
>audited and changed to prevent the bug from working is the essense of
>a codebase change thats relevant to the CVE. Code changes that don't
>affect the vulnerability don't matter, because from the CVE viewpoint,
>they're not code changes.
>
>Adam